
RE: I-D ACTION:draft-coene-multi6-sctp-00.txt



Hi John,

> You were quick.  A small preface before I get to your points.  I worked
> with Lode to get this document done by Friday, it could stand
> some improvement.
> Additionally, the SCTP multihoming document needs updating.  We
> can try to get
> these both updated before Seoul.

Thanks for providing this doc so fast. IMHO the SCTP POV is important.

>
> Secondly, my general feeling is that SCTP is one tool for Multi6 - I am
> not sure if it is the entire answer.  I think we need to discuss this.

I agree with you, IMHO SCTP is just one of the tools that can be used to
preserve established communications in mh environments.

>
> Finally, there have been some interesting ideas on how to transition SCTP
> on the ietf.org mailing list, I am not sure if they should/could
> be discussed in
> this document. If so, I can try to capture some of them when we
> update the document.

I don't know about the document, but I would find it useful to understand how
easy it is to migrate to SCTP; this would have a great impact on the
deployability of the solution.


> This I can include.  In a way, SCTP employs a return
> routable-like mechanism
> in the initialization phase.

Ok, and this would be acceptable from a security POV because it only affects
this particular connection and not all the present and future connections of
this host.

>
> > Another comment is about how does an sctp solution deals with ingress
> > filtering?
>
> In what way do you mean?  SCTP has some resistance to DoS-style attacks,
> like SYN floods, by way of its setup.  This won't solve
> everything, of course,
> I am sure that hackers will find other ways to cause mischief.

No, this is not a security issue, sorry if my writing was misleading. This
is a functional issue.
Please check section 3.3 of draft-huitema-multi6-hosts-02.txt for a detailed
explanation.
Basically you have to make sure that the packets are not filtered by ingress
filters, that is, you have to make sure that the source address contained in
the packets is the correct one (or that the exit router through which the
packet is carried is the appropriate one).

Regards, marcelo


>
> thanks,
> John
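
The ingress-filtering point raised in this thread, as an added illustration that is not part of the original messages or of either draft: a multihomed host holding one address from each of two providers, a simulated provider-edge ingress filter that only passes packets whose source lies in that provider's own prefix, and the two ways of staying consistent with it that the message describes (pick the source address to match the exit, or pick the exit to match the source). The provider names, the documentation-space prefixes and the host addresses are constructed for the example.

```python
import ipaddress

# Constructed topology: a host multihomed to two providers, with one
# address out of each provider's aggregate (2001:db8::/32 is documentation space).
PROVIDER_PREFIXES = {
    "ispA": ipaddress.ip_network("2001:db8:a::/48"),
    "ispB": ipaddress.ip_network("2001:db8:b::/48"),
}
HOST_ADDRESSES = {
    "ispA": ipaddress.ip_address("2001:db8:a::10"),
    "ispB": ipaddress.ip_address("2001:db8:b::10"),
}


def ingress_filter_accepts(exit_isp, src):
    """Simulated ingress filter at the provider's edge router: a packet is
    forwarded only if its source address belongs to that provider's prefix."""
    return ipaddress.ip_address(src) in PROVIDER_PREFIXES[exit_isp]


def select_source_for_exit(exit_isp):
    """First approach from the message: the exit router is fixed (e.g. by
    routing), so the host must choose the matching source address."""
    return HOST_ADDRESSES[exit_isp]


def select_exit_for_source(src):
    """Second approach: the source address is fixed (e.g. the address bound in
    an established SCTP association), so the packet must leave through the
    provider that owns that address. Returns None if no provider matches."""
    addr = ipaddress.ip_address(src)
    for isp, prefix in PROVIDER_PREFIXES.items():
        if addr in prefix:
            return isp
    return None


def send(exit_isp, src=None):
    """Emit one packet via exit_isp; returns True if the ingress filter lets it
    through. With src=None the host picks the source that matches the exit."""
    if src is None:
        src = select_source_for_exit(exit_isp)
    return ingress_filter_accepts(exit_isp, src)


if __name__ == "__main__":
    # Matching source and exit: delivered.
    print("ispA exit, auto source:", send("ispA"))
    # Source from provider B sent out through provider A: dropped by ingress filter.
    print("ispA exit, ispB source:", send("ispA", "2001:db8:b::10"))
    # Fixing it from the other side: route the B-sourced packet out via B.
    exit_isp = select_exit_for_source("2001:db8:b::10")
    print("chosen exit for ispB source:", exit_isp, "->", send(exit_isp, "2001:db8:b::10"))
```

The mismatch case is the one that matters for a multihomed transport such as SCTP: once an association is bound to a particular source address, a failover that changes only the exit path (and not the source address used on that path) produces packets that the new provider's ingress filter will silently discard.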